
Hijack This list as suggested [RESOLVED]

BMAC23

Posted 25 April 2008 - 12:07 PM


I posted in another forum and was told to come here. I followed all the malware/spyware/virus steps in the "You Must Read This".

My issue: one day, every after-market program I have (and some of the ones that came with the computer) stopped working. They no longer appear on my add/remove programs list and do not give me an uninstall option in my programs folder. When opened, they ask for serial numbers, when the serial numbers are typed in they say they are not installed properly (or a variation on that theme), when I attempt to re-install they say they cannot because the programs have not been uninstalled and I am back to the beginning.

Also, all of my outlook express mail accounts were erased. I still have the .dbx files, but they do not import even after following the steps correctly (I have done this step many times before).

I had previously installed the Windows Service Packs, but tried to do so again (as per instructions in "You Must Read This"), but they also failed to install.

Event Record #/Type252 / Warning
Event Submitted/Written: 04/25/2008 10:42:31 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type853 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:%YOUR-4DACD0EA75275

Scan ID: {D7C4FE8D-5AB2-47C3-87AB-853F33116C61}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type852 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:%YOUR-4DACD0EA75275

Scan ID: {4CD37970-D379-4A9B-AF4E-2E32CFBBDA06}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type851 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:%YOUR-4DACD0EA75275

Scan ID: {D0070489-E887-4A81-B271-266AA76164E7}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type850 / Warning
Event Submitted/Written: 04/25/2008 11:47:01 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:%YOUR-4DACD0EA75275

Scan ID: {4B4760A8-4776-4773-AF31-5720A8C75A24}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type849 / Warning
Event Submitted/Written: 04/25/2008 11:47:01 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:%YOUR-4DACD0EA75275

Scan ID: {9AF6D8E6-E49C-4A1B-AB9E-5E815F5F8BD5}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2008-04-25 11:47:20 ------------

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

====STEP 2====
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

====STEP 3====
Could you delete the current version of Malwarebytes you have and follow these instructions:

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Full Scan", then click Scan.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
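The Windows Defender (WinDefend) event 3004 records in the scanner output above all carry unresolved "%YOUR-..." tokens where the description, name and "Path Found" would normally be, so they name no file to investigate. The following Python script is an added example (not code from this thread or from Deckard's System Scanner) that parses records in the layout DSS prints, groups them by Event ID and Source, and flags WinDefend records whose "Path Found" is such a token rather than a path. The embedded sample text is constructed to mirror the records pasted above, with descriptions trimmed to their first sentence.

```python
"""Parse Deckard's System Scanner (DSS) event-log excerpts and summarise them.

Added example, not code from the forum thread or from DSS itself.  SAMPLE_LOG
is constructed to mirror the records pasted above (descriptions trimmed).
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Event Record #/Type252 / Warning
Event Submitted/Written: 04/25/2008 10:42:31 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services.

Event Record #/Type853 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes.
For more information please see the following:%YOUR-4DACD0EA75275
Scan ID: {D7C4FE8D-5AB2-47C3-87AB-853F33116C61}
User: YOUR-4DACD0EA75\Compaq_Administrator
Path Found: %YOUR-4DACD0EA75276
Alert Type: %YOUR-4DACD0EA75278

Event Record #/Type852 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes.
Scan ID: {4CD37970-D379-4A9B-AF4E-2E32CFBBDA06}
User: YOUR-4DACD0EA75\Compaq_Administrator
Path Found: %YOUR-4DACD0EA75276

-- End of Deckard's System Scanner: finished at 2008-04-25 11:47:20 ------------
"""

# "Key: value" lines DSS prints under a WinDefend event description.
FIELD_KEYS = {"Scan ID", "User", "Name", "ID", "Severity", "Category",
              "Path Found", "Alert Type", "Detection Type"}

# One record: three header lines, then a description that runs until the
# next record header, the end-of-scan marker, or end of text.
RECORD_RE = re.compile(
    r"Event Record #/Type(?P<record>\d+)\s*/\s*(?P<type>\w+)\s*\n"
    r"Event Submitted/Written:\s*(?P<written>[^\n]+)\n"
    r"Event ID/Source:\s*(?P<event_id>\d+)\s*/\s*(?P<source>\S+)\s*\n"
    r"Event Description:\s*(?P<body>.*?)"
    r"(?=\nEvent Record #/Type|\n-- End of|\Z)",
    re.DOTALL,
)


def is_unresolved(value):
    """True when a field holds a '%...' message token instead of real content."""
    return value.startswith("%")


def parse_events(text):
    """Return one dict per record: header fields, free-text description,
    and any known 'Key: value' lines found under the description."""
    events = []
    for m in RECORD_RE.finditer(text):
        fields, description = {}, []
        for line in m.group("body").splitlines():
            line = line.strip()
            if not line:
                continue
            key, sep, value = line.partition(": ")
            if sep and key in FIELD_KEYS:
                fields[key] = value
            else:
                description.append(line)
        events.append({
            "record": int(m.group("record")),
            "type": m.group("type"),
            "written": m.group("written").strip(),
            "event_id": int(m.group("event_id")),
            "source": m.group("source"),
            "description": " ".join(description),
            "fields": fields,
        })
    return events


def summarize(events):
    """Count records per (Event ID, Source) and count WinDefend records
    whose 'Path Found' is missing or an unresolved token."""
    by_source = Counter((e["event_id"], e["source"]) for e in events)
    unresolved_paths = sum(
        1 for e in events
        if e["source"] == "WinDefend"
        and is_unresolved(e["fields"].get("Path Found", "%missing"))
    )
    return {"by_source": by_source, "unresolved_paths": unresolved_paths}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    s = summarize(evs)
    for (eid, src), n in sorted(s["by_source"].items()):
        print(f"Event {eid} from {src}: {n} record(s)")
    print(f"WinDefend records with no resolvable path: {s['unresolved_paths']}")
```

Run as-is it reports one Userenv 1524 record, two WinDefend 3004 records, and two records with no resolvable path. On a real dump, a high count of unresolved paths is the cue to look for the same events in Event Viewer itself (or the Defender history) rather than trying to act on the text here.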

andrewuk

Posted 26 April 2008 - 09:57 AM

The Kaspersky scan found a number of false positives but also one infected file, which we will clear in the post following this. In this post we will run another scan and fix your file associations.

Firstly, could you disable your Windows Defender; it may get in the way of the scan in this post.

====STEP 1====
Click on Start, click on Run, copy and paste the following in bold in the open window and then click OK:
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool.

Click on the Scan button.

Select everything it is displaying there.

Click the Fix button.

Then rescan with DAFT again - it should now say that "All associations are OK".

Close DAFT if you receive that message. This means that it is fixed now.

If the program fails to load, then try this: please download DAFT and save it to your desktop, double-click the daft.exe icon, and then follow the above instructions from "Click on the Scan button".

====STEP 2====
Then, please visit this webpage for instructions for downloading and running ComboFix:

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

A new HijackThis log.

====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan. Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\system32\spmsg2.dll

Click on the submit button.

Please also do the same with the following file (it is all one file, so just highlight it all and copy it in):
C:\WINDOWS\system32\drivers\103C_HP_CPC_RE476AA-ABA SR2050NX NA680_YC_0Pres_QCNH641_E64NAemREA3_48_IAsterope3_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M960_J250_7Intel_8Pentium D_92.8_#061213_N10EC8139_Z14F12F20_G10025A61.MRK

If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

Under "Configuration and Preferences", click the Preferences button.

Click the Scanning Control tab.

Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.

Scan for tracking cookies.

Terminate memory threats before quarantining.

Click the "Close" button to leave the control center screen.

Back on the main screen, under "Scan for Harmful Software" click Scan your computer.

On the left, make sure you check C:\Fixed Drive.

On the right, under "Complete Scan", choose Perform Complete Scan.

Click "Next" to start the scan. Please be patient while it scans your computer.

After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".

Make sure everything has a checkmark next to it and click "Next".

A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.

If asked if you want to reboot, click "Yes".

To retrieve the removal information after reboot, launch SUPERAntispyware again.

Click Preferences, then click the Statistics/Logs tab.

Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.

Please copy and paste the Scan Log results in your next reply.

Click Close to exit the program.

In your next reply could I see:
1. the 2 complete Jotti reports
2. the SUPERAntiSpyware log
3. the ComboFix log
4. a new HijackThis log
5. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

BMAC23

Posted 26 April 2008 - 08:23 PM


I forgot to make a log of the anti-spyware, but it found nothing. As far as my computer, I am still having the same problems. Many of my programs either don't open or say they are not installed properly. However, I cannot uninstall/reinstall them, because they do not show up in the add/remove programs list. These are programs I had been using for years w/o incident before this. Also, my Outlook Express still does not import mail (it says "congratulations on importing your mail" -- but nothing happens).

Jotti logs

File: spmsg2.dll
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 37044da1f53a8a6e5c54fca4c974511a
Packers detected: -
Bit9 reports: No threat detected
Scanner results
Scan taken on 26 Apr 2008 23:03:35 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: 103C_HP_CPC_RE476AA-ABA_SR2050NX_NA680_YC_0Pres_QCNH641_E64NAemREA3_48_IAsterope3_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M960_J250_7Intel_8Pentium_D_92.8_#061213_N10EC8139_Z14F12F20_G10025A61.MRK
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: eadf7d8203668646d7bd4f1879334d86
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 26 Apr 2008 23:11:24 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
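The Jotti reports above list a file name, an MD5 and one verdict per scanner. The Python script below is an added example (not code from this thread or from Jotti) that parses a report in that layout into header fields and a scanner-to-verdict map, pulls out any scanner that reported more than "nothing", and checks that a local file's MD5 matches the MD5 in the report before the report's verdicts are taken to apply to it. The embedded sample is constructed to mirror the spmsg2.dll report; the "ExampleAV" line and its detection name are invented so that a non-clean verdict is exercised.

```python
"""Parse a Jotti multi-scanner report and tie it to a local file by hash.

Added example, not code from the thread or from Jotti.  SAMPLE_REPORT is
constructed to mirror the spmsg2.dll report above; the final "ExampleAV"
line is invented to show how a detection (rather than "Found nothing") parses.
"""
import hashlib
import re

SAMPLE_REPORT = """\
File: spmsg2.dll
Status: OK
MD5: 37044da1f53a8a6e5c54fca4c974511a
Packers detected: -
Bit9 reports: No threat detected
Scanner results
Scan taken on 26 Apr 2008 23:03:35 (GMT)
A-Squared Found nothing
AntiVir Found nothing
Avast Found nothing
Kaspersky Anti-Virus Found nothing
ExampleAV Found Example.Detection.Name
"""

# Header lines Jotti prints before the per-scanner results.
HEADER_RE = re.compile(r"^(File|Status|MD5|Packers detected|Bit9 reports):\s*(.*)$")
# One result line: "<scanner name> Found <verdict>".
VERDICT_RE = re.compile(r"^(?P<scanner>.+?) Found (?P<verdict>.+)$")


def parse_jotti_report(text):
    """Return the header fields plus a {scanner: verdict} map under 'results'."""
    report = {"results": {}}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            report[m.group(1)] = m.group(2)
            continue
        m = VERDICT_RE.match(line)
        if m:
            report["results"][m.group("scanner")] = m.group("verdict")
    return report


def detections(report):
    """Scanners that reported something other than 'nothing'."""
    return {s: v for s, v in report["results"].items() if v != "nothing"}


def md5_hex(data):
    """Hex MD5 of the given bytes (Jotti reports MD5, so that is what we compare)."""
    return hashlib.md5(data).hexdigest()


def matches_report(report, data):
    """A report describes only the bytes Jotti received. Confirm the local copy
    has the same MD5 before treating the report's verdicts as applying to it."""
    return md5_hex(data).lower() == report.get("MD5", "").lower()


if __name__ == "__main__":
    r = parse_jotti_report(SAMPLE_REPORT)
    print(f"{r['File']}: {len(r['results'])} scanners, detections: {detections(r)}")
    # Constructed stand-in bytes; a real check would read the file from disk.
    local_bytes = b"not the real spmsg2.dll contents"
    print("local copy matches report:", matches_report(r, local_bytes))
```

Two points the parser makes visible: "Found nothing" from every engine is absence of a signature match, not proof the file is clean (the same thread notes the Kaspersky scan also produced false positives, so verdicts err in both directions), and the MD5 comparison is only there to confirm you are looking at the same bytes you submitted; MD5 is not collision resistant, so it should not be used as a trusted identifier for a file obtained from an untrusted source.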

andrewuk

Posted 28 April 2008 - 12:45 AM

Once you have done the steps below, post back in the other part of the forum and say your machine is now clear of malware.

In this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions; it will also remove the quarantined malware from your computer), reset your restore points (there will be infections lurking in there) and I will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Clearing away the fix tools:

Follow these steps to uninstall ComboFix and the tools used in the removal of malware:

Click START then RUN

Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

You can clear away any other remaining fix tools we used also.

====STEP 2====
Resetting the Restore Points:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

====IDEAS TO SPEED UP YOUR MACHINE====
This page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.

====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.